What is shadow IT and why is it a risk?
Shadow IT, software used by employees without IT approval, is bigger and more dangerous than most organisations realise. What it is, how it develops, and how to tackle it.
- 1 October 2024
- 5 min
Shadow IT is one of the largest blind spots in enterprise software management. The term refers to all technology, software, apps, cloud storage, and communication tools that employees use without explicit approval from IT or procurement. And it is growing faster than most organisations realise.
How does shadow IT arise?
Shadow IT almost always arises from a genuine problem. An employee needs a tool to do their job, the approval process takes too long, or the alternative offered by IT is inconvenient. The quickest solution is to create a free account or put a small subscription on the company credit card.
What starts as one person using one tool quickly grows. Colleagues join in, files are shared via unauthorised platforms, and sensitive company data ends up on servers outside the EU, often without anyone noticing.
Why is shadow IT a problem?
Shadow IT has three concrete consequences:
1. Security risks. Unapproved tools are not screened for security, not updated, and not monitored. They represent an open door for data breaches and cyber attacks.
2. Compliance risks. Data processed via unapproved tools falls outside the organisation’s GDPR oversight. In the event of a data breach, the organisation remains liable.
3. Waste. Organisations pay for centralised tools while employees use free or cheap alternatives alongside them. Consolidation is impossible without clear oversight.
Shadow IT and NIS2
With the introduction of NIS2, shadow IT becomes an even greater risk. The duty of care requires organisations to maintain an up-to-date overview of all software and suppliers, including tools purchased outside formal procurement processes. Shadow IT by definition makes this overview incomplete.
How do you tackle shadow IT?
The approach does not start with banning but with understanding. Why do employees use certain tools? What is missing from the approved offering? Only when you answer these questions can you consolidate effectively and improve the formal software offering.
Practical steps: analyse credit card statements and invoices for unknown software subscriptions, conduct an employee survey on tools used, and relay findings back to IT and procurement for a consolidated approach.
Frequently Asked Questions
The most commonly asked questions on this topic.
What exactly is shadow IT?
Shadow IT is all the software and technology that employees use without the knowledge or approval of IT or procurement. Think of free tools, personal cloud storage, or unauthorised communication platforms.
How big is the shadow IT problem in the average organisation?
Research shows that on average 40-60% of SaaS tools in an organisation are not centrally managed. The true extent of shadow IT is consistently underestimated.
How do I discover which shadow IT exists in my organisation?
Start with a software audit using credit card statements, invoice analysis, and an employee survey. Additionally, tools like Zylo, Torii, or Blissfully can help automatically detect SaaS usage.
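As an added example of the credit card statement check described under "Practical steps" and in this FAQ answer (not code from the original post or from SoftVaro), the script below parses constructed statement lines, normalises each merchant descriptor to a vendor key, and flags recurring charges whose vendor is not on a hypothetical approved-vendor list. The statement lines, the approved set and the descriptor formats are all constructed; real card exports differ by bank.

```python
import re
from collections import defaultdict

# Constructed sample card-statement export: date, merchant descriptor, amount.
STATEMENT = """\
2024-07-03,NOTION LABS INC,10.00
2024-07-05,MSFT*M365 BUSINESS,12.50
2024-07-09,DROPBOX*PLUS,11.99
2024-08-03,NOTION LABS INC,10.00
2024-08-05,MSFT*M365 BUSINESS,12.50
2024-08-09,DROPBOX*PLUS,11.99
2024-08-15,CAFE DE PARIS,4.20
2024-09-03,NOTION LABS INC,10.00
2024-09-09,DROPBOX*PLUS,11.99
2024-09-12,CANVA PTY LTD,13.00
"""

# Hypothetical vendor keys that procurement has already approved.
APPROVED = {"msft"}


def normalise(descriptor):
    """Reduce a card descriptor such as 'MSFT*M365 BUSINESS' to a vendor key ('msft')."""
    key = descriptor.lower().split("*")[0]          # drop the product suffix after '*'
    key = re.sub(r"[^a-z0-9 ]", " ", key)           # strip punctuation
    tokens = key.split()
    return tokens[0] if tokens else ""


def parse_statement(text):
    """Yield (month, vendor_key, raw_descriptor, amount) for each statement line."""
    rows = []
    for line in text.strip().splitlines():
        date, merchant, amount = line.split(",")
        rows.append((date[:7], normalise(merchant), merchant, float(amount)))
    return rows


def find_unknown_subscriptions(text, approved, min_months=2):
    """Return (vendor_key, descriptor, months_seen, total_spend) for recurring
    charges not matched to an approved vendor; a charge seen in fewer than
    min_months distinct months is treated as a one-off, not a subscription."""
    months, spend, names = defaultdict(set), defaultdict(float), {}
    for month, key, merchant, amount in parse_statement(text):
        months[key].add(month)
        spend[key] += amount
        names[key] = merchant
    return sorted(
        (key, names[key], len(months[key]), round(spend[key], 2))
        for key in months
        if len(months[key]) >= min_months and key not in approved
    )
```

Running `find_unknown_subscriptions(STATEMENT, APPROVED)` on the constructed data reports the Dropbox and Notion charges as unapproved recurring subscriptions, while the one-off café and Canva charges and the approved Microsoft subscription are left out.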